On Thu, 2011-02-24 at 15:31 +, Julien Reveret wrote:
> [snip]
>
> It seems that mandriva already released an update for avahi :
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html
>
> I guess you're facing the same issue.
0.6.28-4 has been accepted to unstable
> Package: avahi-daemon
> Version: 0.6.27-2
> Tags: security
> Severity: critical
> Justification: Introduces possible denial-of-service scenario.
>
> Hi,
>
> when I scan my server from another machine on the network using nmap, I
> get this:
[snip]
It seems tha
I can confirm this.
Am 23.02.2011 um 13:36 schrieb Alexander Kurtz:
> Package: avahi-daemon
> Version: 0.6.27-2
> Tags: security
> Severity: critical
> Justification: Introduces possible denial-of-service scenario.
>
> Hi,
>
> when I scan my server from another m
Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.
Hi,
when I scan my server from another machine on the network using nmap, I
get this:
# nmap -sU -p5353 192.168.2.2
Starting Nmap 5.00 ( http
On Sat, Mar 04, 2006 at 10:12:56AM +0100, Loïc Minier wrote:
> But you're still way more secure while sitting behind a NAT with
> responsible coworkers than connected to the Internet directly, without
> any firewall, and that's where desktops sit most of the time.
Well, a NATed gateway is not t
, since rhythmbox is part of the gnome task, and it was already included
in the gnome meta-package in sarge I guess you are correct (now).
However, for sid users, notice that rhythmbox depended on avahi-daemon from
version 0.9.2-3 (2006-01-22) until version 0.9.3-1 (2006-02-05).
So, any sid use
On Sat, Mar 04, 2006 at 11:32:20AM +0100, Loïc Minier wrote:
> On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> > Rhythmbox is a very easy to use music playing and management program
> > which supports a wide range of audio formats (including mp3 and ogg).
> > The current version al
On Sat, Mar 04, 2006 at 01:26:24PM -0500, Joey Hess wrote:
> If avahi is not running, rhythmbox prints this to std(something) on
> startup and/or when you enble sharing in its prefs:
Notice that *most* users will not see this as they will start up rhythmbox
from a GNOME application menu and not t
Loïc Minier wrote:
> I completely agree there are a number of broken recommends, but
> shouldn't we fix these? Yes, it's painful. :(
I'd prefer not to break new installations in order to find them. This
thread shows that pulling in recommends by default in aptitude is enough
to expose problima
On Sat, Mar 04, 2006, Joey Hess wrote:
> If you mean a bug, no, I go out of my way to not install recommends,
> because Debian is still rife with long and useless recommends chains.
I completely agree there are a number of broken recommends, but
shouldn't we fix these? Yes, it's painful. :(
-
Javier Fernández-Sanguino Peña wrote:
> - rhythmbox does not mention music sharing *at*all* in the package
> description. Even the GUI doesn't mention this (when starting it up
> for the first time) nor the documentation (in it's 'Introduction')
Rhythmbox doesn't go broadcasting files over the
Philipp A. Hartmann wrote:
> But still it's only a Recommends. Therefore, rhythmbox needs to handle
> the absence og avahi-daemon gracefully, since you cannot rely on it's
> installation. For sake of plug-and-play and comfort, this might be even
> done in some kind of GUI me
Loïc Minier wrote:
> On Fri, Mar 03, 2006, Joey Hess wrote:
> > Standard Desktop task installs do not install Recommends anyway, so
> > rhythmbox does not pull in avahi-daemon in those situations and you need
> > to deal with that somehow.
>
> It's a but in task i
On Sat, Mar 04, 2006 at 11:16:08AM +0100, Loïc Minier wrote:
I must add people on this list are obviously biased towards security.
I guess you can stake out the ground of "biased against security", but
that's kind of a bad place to be for a software distributor in the 21st
century.
--
Micha
On Sat, Mar 04, 2006 at 10:26:31AM +0100, Loïc Minier wrote:
My point of view is that installing the application gets them the
functionalities they'd expect to find in the default setup.
And I agreed that perhaps the rhythmbox community would expect that,
which is why I reconsidered and asked
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> Rhythmbox is a very easy to use music playing and management program
> which supports a wide range of audio formats (including mp3 and ogg).
> The current version also supports Internet Radio, iPod integration,
> Audio CD burning, an
Hi,
I'm stepping out of this discussion, but would like to summarize it a
little (this is obviously biased):
- the current default situation is on purpose, and is a choice between
security and usability, completely subjective
- RB can be enhanced to work better when avahi-d
On Sat, Mar 04, 2006 at 11:07:25AM +0100, Loïc Minier wrote:
> I'm doing my final pass on the deb-sec part of this discussion, I don't
> intend to participate much further, no new arguments are popping up.
Quite sincerily, this discussion is getting nowhere. There are sufficient
arguments in thi
, so the GNOME task pulls it in by default, which means you get the
feature and the open port.
> I think, your proposed solutions do not cover this issue at all. Users,
> who know what they want and what they are doing, do not run into this
> problem, since they can manually deselect avah
On Sat, Mar 04, 2006 at 09:51:31AM +0100, Loïc Minier wrote:
> On Fri, Mar 03, 2006, Joey Hess wrote:
> > Standard Desktop task installs do not install Recommends anyway, so
> > rhythmbox does not pull in avahi-daemon in those situations and you need
> > to deal with that some
On Sat, Mar 04, 2006 at 10:31:02AM +0100, Loïc Minier wrote:
> > And for the same thing, why would a typical desktop machine provide users
> > to share even files! My desktop system at home (and my parent's and my
> > uncle's and whatnot) are completely stand-alone desktop systems, connected
> > t
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote:
> (IMHO this dicussion is reaching to a point in which it should move to
> d-devel instead, but I'll keep it here)
Uh, please don't move it there, in the contrary, this discussion
already reached flame-level, and no arguments are coming
Recommends are installed automatically.
I think, your proposed solutions do not cover this issue at all. Users,
who know what they want and what they are doing, do not run into this
problem, since they can manually deselect avahi-daemon. We are indeed
talking about regular users. In another mail, you
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote:
> On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
> > This is a desktop machine, it should permit sharing of files on your
> > local network. DNS servers have their port 53 open to respond to name
> > resolution queries, j
On Fri, Mar 03, 2006, Michael Stone wrote:
> On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
> >Do you have any other solution permitting the same functionalities, but
> >without the listening port?
> No. If someone wants that functionality than that's how they need to get
> it. The
Hi,
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
> > I thought security people would recommend havin a per-port ACL for
> > allowed traffic, and port visibility set to limit the view to only the
> > router when not otherwise required.
> I don't think you have seen many co
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> On Fri, 03 Mar 2006, Loïc Minier wrote:
> > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > > True. But that requires a broken kernel, which we patch regularly as a
> > > security procedure anyway. Mounting removable filesyst
On Fri, Mar 03, 2006, Joey Hess wrote:
> Standard Desktop task installs do not install Recommends anyway, so
> rhythmbox does not pull in avahi-daemon in those situations and you need
> to deal with that somehow.
It's a but in task installation then.
--
Loïc Minier <[EMAIL PRO
On Fri, Mar 03, 2006 at 06:47:34PM +0100, Loïc Minier wrote:
> Hi,
>
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > Inside the network? Most managed networks have filtering at the borders, at
> > key router nodes, and if it has a more advanced distributed-firewall
> > ment
ill point at unavailable
> features.
>And the popup mixing application level information with package level
> information would also be awful: "You should install package foo to get
> this functionality".
Standard Desktop task installs do not install Recommends anyway, s
On Fri, 03 Mar 2006, Loïc Minier wrote:
> proposed multiple options in other posts, all of them ignored. People
> *not* trying for a middle-ground solution are those claiming an open
> port by default is unacceptable, no matter what.
You will notice I didn't propose you disable open ports by d
On Fri, 03 Mar 2006, Loïc Minier wrote:
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > > Well, no: that's the opposite of plug'n'play. See, if you're USB stick
> > > contains a malicious vfat file system, it gets automatically mounted
> > > nevertheless. It's a feature.
> > Not
On Fri, 03 Mar 2006, Loïc Minier wrote:
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > True. But that requires a broken kernel, which we patch regularly as a
> > security procedure anyway. Mounting removable filesystems suid,dev allow a
> > lot more damage *by design* in the stand
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> True. But that requires a broken kernel, which we patch regularly as a
> security procedure anyway. Mounting removable filesystems suid,dev allow a
> lot more damage *by design* in the standard Linux security-model.
And we also support
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > Well, no: that's the opposite of plug'n'play. See, if you're USB stick
> > contains a malicious vfat file system, it gets automatically mounted
> > nevertheless. It's a feature.
> Not in my servers, it doesn't. And I should add, not
Hi,
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> On Fri, 03 Mar 2006, Loïc Minier wrote:
> > If music sharing is a questionable feature to you, you don't need to
> > discuss this further, you're obviously the security guy, talking in
> > debian-security@ of stuff he doesn'
ic program (as rhythmbox) Recommends:
> > avahi-daemon, when IMHO it should be Suggests: . The functionality
> > provided by avahi-daemon (a network service for sharing music) is not
> > something
> > I would say that all rhythmbox users require (based on rhythmbox'
> >
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
> This is a desktop machine, it should permit sharing of files on your
> local network. DNS servers have their port 53 open to respond to name
> resolution queries, just consider your desktop installation to be a
> name server respon
On Fri, 03 Mar 2006, Loïc Minier wrote:
> If music sharing is a questionable feature to you, you don't need to
> discuss this further, you're obviously the security guy, talking in
> debian-security@ of stuff he doesn't want to support security-wise, and
You are *not allowed* to support securit
On Fri, Mar 03, 2006 at 11:20:56AM -0300, Henrique de Moraes Holschuh wrote:
So, I repeat my question: should we hunt down and file bugs (grave or worse)
on packages automounting removable media without nosid, nodev ?
Here's what I'd suggest:
Write a policy that covers best practices and see h
On Fri, 03 Mar 2006, Michael Stone wrote:
> On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:
> >Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
> >it won't bork if you tell it to be nosuid, nodev either) is never a
> >feature,
> >it is a secur
On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:
Not in my servers, it doesn't. And I should add, not even in my desktops:
all removable filesystems are mounted nodev, nosuid.
Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
it won't bork if
On Fri, Mar 03, 2006 at 02:45:28PM +0100, Loïc Minier wrote:
Indeed, but it's even worse! avahi-daemon recommends libnss-mdns which
recommends zeroconf. However, both Recommends are bogus. There's a
bug against the second one, and I talked a little with Sjoerd on the
first one, an
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
Do you have any other solution permitting the same functionalities, but
without the listening port?
No. If someone wants that functionality than that's how they need to get
it. The question has always been about what level of effor
On Fri, 03 Mar 2006, Loïc Minier wrote:
> This is a desktop machine, it should permit sharing of files on your
> local network. DNS servers have their port 53 open to respond to name
In what planet do you live? Desktop machines are plugged to extremely
hostile networks all the time (think cabl
Hi there,
For people on the list interested in the discussion, Michael Stone has
filed #355064, where the "discussion" went on.
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscri
t it's not related to avahi)
> Package: avahi-daemon
> Recommends: libnss-mdns
> The dependency chains here get a little scary.
Indeed, but it's even worse! avahi-daemon recommends libnss-mdns which
recommends zeroconf. However, both Recommends are bogus. There's a
bug
0.0:53 0.0.0.0:*
LISTEN 18007/pdnsd
udp0 0 0.0.0.0:53530.0.0.0:*
29989/avahi-daemon
And so what? Do you want to proove me it listens on the network?
That's by design, the point is to listen for queries.
> Why did you disable them?
I
portAvahi) which, BTW, is not that
>>common. The keyword here is 'exposure'.
>>
>>
> The avahi-daemon is nicely chrooted, and runs under a different user.
> You just can't have the functionality of "plug'n'play" on a network
> without any
Hi,
On Thu, Feb 23, 2006, Javier Fernández-Sanguino Peña wrote:
> IMHO the problem here is having a music program (as rhythmbox) Recommends:
> avahi-daemon, when IMHO it should be Suggests: . The functionality
> provided by avahi-daemon (a network service for sharing musi
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
> You are confusing worms, Blaster exploited the DCOM RPC vulnerability
> (CAN-2003-0352). The one that exploited CAN-2002-0649 and
> CAN-2002-1145 in both SQL Server and MSDE was SQLExp / Slammer.
True. Thank you, and apologies for my
On Thu, Feb 23, 2006 at 12:47:44PM +0100, aliban wrote:
> >
> I am sorry, but I am quite new linux and debian at all and you may excuse
> my question:
>
> why is there no rule to "prompt the user" for all applications that open
> ports on non-localhost?
The default policy is a compromise between
Javier Fernández-Sanguino Peña schrieb:
>If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478 got
>it to reduce the Depends: on that daemon to a Recommends:, I think it would
>be better to have that as Suggests:
>Disclaimer: I don't know much about rhythmbox and the relationship
On Thu, Feb 23, 2006 at 12:04:50PM +0100, Javier Fernández-Sanguino Peña wrote:
The former worm targeted a critical OS service, the later a database service.
Neither of which were actually useful if bound to loopback, BTW.
Actually, they were. A lot of the embedded DB servers were only used by
worm targeted a critical OS service, the later a database service.
Neither of which were actually useful if bound to loopback, BTW.
IMHO the problem here is having a music program (as rhythmbox) Recommends:
avahi-daemon, when IMHO it should be Suggests: . The functionality
provided by avahi-daemo
nss-mdns does mdns too, but it's not related to avahi)
No?
Package: avahi-daemon
Source: avahi
Version: 0.6.7-1
Depends: libavahi-common3 (>= 0.6.4), libavahi-core3 (>= 0.6.0), libc6 (>= 2.3.5-1),
libcap1, libdaemon0, libdbus-1-2 (>= 0.60), libexpat1 (>= 1.95.8), adduser, dbu
On Wed, 22 Feb 2006, aliban wrote:
> On debian testing the rhythmbox suggested to install the avahi-daemon that
> listens on all interfaces by default.
That's on par with the avahi-daemon's idea of how things should happen, and
it makes sense. Not that I'd want that active
Quoting aliban ([EMAIL PROTECTED]):
> MS Blaster infected many million system within seconds...
Relying on the vulnerable MSDE embedded SQL database engine being
embedded into a large number of consumer software products, and
irresponsibly left bound to all network ports, not just loopback.
Don'
Loïc Minier schrieb:
>>On Wed, Feb 22, 2006, aliban wrote:
>>
>>
>
>
In this case you are doing the same mistakes Microsoft did with Windows
all the time:
default installation comes with a 'strange' service (that nobody needs,
therefore nobody knows) sitting some
;>>
>>
>>
>>
>> I am the package maintainer of Rhythmbox, am I the package maintainer
>> you refer to? Or did you mean the avahi-daemon package manager?
>>
>>
>
>
No, I don't think you are responsible for this. the package manager
On Wed, Feb 22, 2006, Michael Stone wrote:
> >From a pragmatic standpoint, pulling in nss-mdns is a PITA because it
> makes certain name queries take forever--so there are reasons aside from
> security to think this is annoying.
(nss-mdns does mdns too, but it's not related to avahi)
> Securit
On Wed, Feb 22, 2006 at 03:23:42PM +0100, Loïc Minier wrote:
If you do install a GNOME desktop environment, expect to have a web
browser which might run malicious code, games which might be sgid
games, and tons of stuff which might be opening more doors than you
like.
First, there's a differenc
On Wed, Feb 22, 2006, aliban wrote:
> In this case you are doing the same mistakes Microsoft did with Windows
> all the time:
Please, no generalities.
> default installation comes with a 'strange' service (that nobody needs,
> therefore nobody knows) sitting somewhere around and listening on ALL
Hi,
On Wed, Feb 22, 2006, aliban wrote:
> as the package maintainer seems to ignore my complaint I forward the
> discussion to debian-user mailing list.
I am the package maintainer of Rhythmbox, am I the package maintainer
you refer to? Or did you mean the avahi-daemon package m
is
>system. If you are so worried about security, then why not check out
>those NINE new Avahi packages when apt says they are going to be
>installed? If you miss it there, it is very prominently displayed on
>startup that the Avahi daemon is starting. "Oh noes! I'd better sto
apt says they are going to be
installed? If you miss it there, it is very prominently displayed on
startup that the Avahi daemon is starting. "Oh noes! I'd better stop
that and figure out exactly what it is." If you interested in a
security report on Avahi, Ubuntu has o
Hi,
as the package maintainer seems to ignore my complaint I forward the discussion
to debian-user mailing list.
On debian testing the rhythmbox suggested to install the avahi-daemon that
listens on all interfaces by default.
I think this kind of install behaviour is insecure even if the
67 matches
Mail list logo